SAN FRANCISCO -- Security professionals need to press their vendors to be more forthcoming about vulnerabilities and other security information, Mozilla's security chief said Monday in a keynote at IT Security World here.
Security isn't a priority for a lot of software developers, but users can get them to change, Window Snyder said. "You have the power in this relationship ... Ask vendors for more than marketing claims about security," she said. "They could be a lot more open about their process. It's up to you guys to get vendors to talk more."
Microsoft, for example, began paying more attention to security after hearing from customers about security issues with Windows XP, she said. "For other software vendors, it can be hard for them to justify changes if they're not hearing from customers," said Snyder, who helped spearhead the development of Service Pack 2 for XP when she was with Microsoft.
While sharing information about security issues can lead to a perception that a company isn't secure, that situation is changing, she said. When vendors communicate what they're doing about security -- not just how they're fixing vulnerabilities, but their security development and training efforts -- it can build confidence, she said, adding, "I'm a big fan of over-communicating when it comes to security issues."
At Mozilla, which is best known for producing the Firefox browser, Snyder said she's adamant about transparency when it comes to security. "Our source code is open and available to everyone," she said. "The industry doesn't have to take our word for it."
She outlined some of the organization's security efforts, including its work to develop security metrics, which will include vulnerability severity, find rate/fix rate, and time for patch deployment. Basing security simply on the number of vulnerabilities found is a useless metric, she said, adding that it only provides incentive for vendors to keep quiet about bugs.
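To make the point about metrics concrete, here is an added illustration (not Mozilla's code or its metrics program) that computes the measures Snyder names -- severity profile, find rate against fix rate, and time from discovery to deployed patch -- over two constructed sets of vulnerability records. The vendor names, IDs, dates and severity weights are all hypothetical. Counted by raw vulnerabilities, the vendor that discloses and fixes quickly looks worse; weighted by severity and by how long users stayed exposed, the picture reverses.

```python
"""Vulnerability-handling metrics of the kind described in the keynote.

Added illustration, not Mozilla's code or metrics. All records below are
constructed sample data; the IDs, dates, vendor names and weights are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str
    severity: str             # one of SEVERITY_WEIGHT's keys
    found: date               # date the issue was reported to the vendor
    fixed: Optional[date]     # None while the fix is still outstanding
    deployed: Optional[date]  # None until the fix actually reaches users


# Illustrative weights; a real program would take these from its severity scale.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "moderate": 2, "low": 1}


def severity_profile(records):
    """Issues per severity level: a richer view than a single total."""
    counts = {s: 0 for s in SEVERITY_WEIGHT}
    for r in records:
        counts[r.severity] += 1
    return counts


def find_fix_rate(records, start, end):
    """(issues found, issues fixed) inside the window [start, end]."""
    found = sum(1 for r in records if start <= r.found <= end)
    fixed = sum(1 for r in records if r.fixed is not None and start <= r.fixed <= end)
    return found, fixed


def median_days(records, from_attr, to_attr):
    """Median elapsed days between two milestones, skipping records missing either."""
    spans = [
        (getattr(r, to_attr) - getattr(r, from_attr)).days
        for r in records
        if getattr(r, from_attr) is not None and getattr(r, to_attr) is not None
    ]
    return median(spans) if spans else None


def weighted_exposure_days(records, as_of):
    """Severity-weighted issue-days users were exposed: found -> deployed (or -> as_of)."""
    total = 0
    for r in records:
        end = r.deployed if r.deployed is not None else as_of
        total += SEVERITY_WEIGHT[r.severity] * (end - r.found).days
    return total


D = date  # shorthand for the constructed records below

# Vendor A (hypothetical): discloses and ships fixes promptly; mostly low-severity issues.
VENDOR_A = [
    VulnRecord("A-1", "low",      D(2008, 9, 1),  D(2008, 9, 3),  D(2008, 9, 5)),
    VulnRecord("A-2", "low",      D(2008, 9, 2),  D(2008, 9, 4),  D(2008, 9, 5)),
    VulnRecord("A-3", "moderate", D(2008, 9, 5),  D(2008, 9, 10), D(2008, 9, 12)),
    VulnRecord("A-4", "low",      D(2008, 9, 8),  D(2008, 9, 9),  D(2008, 9, 12)),
    VulnRecord("A-5", "high",     D(2008, 9, 10), D(2008, 9, 12), D(2008, 9, 15)),
    VulnRecord("A-6", "low",      D(2008, 9, 15), D(2008, 9, 18), D(2008, 9, 20)),
]

# Vendor B (hypothetical): few disclosed issues, but fixes wait for a service pack.
VENDOR_B = [
    VulnRecord("B-1", "critical", D(2008, 6, 1), D(2008, 7, 15), None),
    VulnRecord("B-2", "high",     D(2008, 7, 1), None,           None),
]


def scorecard(records, as_of):
    """The raw count beside the metrics that actually describe user risk."""
    return {
        "raw_count": len(records),
        "profile": severity_profile(records),
        "median_found_to_deployed": median_days(records, "found", "deployed"),
        "weighted_exposure_days": weighted_exposure_days(records, as_of),
    }


if __name__ == "__main__":
    as_of = D(2008, 9, 30)
    for name, recs in (("Vendor A", VENDOR_A), ("Vendor B", VENDOR_B)):
        print(name, scorecard(recs, as_of))
```

On the constructed data, Vendor A reports six issues and Vendor B two, yet A's weighted exposure is 55 issue-days against B's 1665, and B has no deployed-patch time to measure at all because nothing has shipped. A count-only metric rewards B for staying quiet, which is exactly the incentive Snyder warns about.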
On the code review side, Snyder said she's a big fan of fuzzers, which she said produce minimal false positives and mimic the way attackers work. Mozilla has made its fuzzers available to the industry. Outside security consultants also are a good way to bring in an objective eye to the development process, she said.
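As an added illustration of why fuzzers give so few false positives, here is a small mutation fuzzer run against a deliberately buggy record parser. This is not one of Mozilla's fuzzers; the record format, the parser, its bug and the seed message are all constructed for this example. The parser signals intentional rejection of bad input with `ValueError`; anything else escaping it is a crash, and a crash needs no interpretation. The bug is the classic one of trusting a length field, which in Python surfaces as `IndexError` or `struct.error` where a C parser would read out of bounds.

```python
"""Tiny mutation fuzzer against a deliberately buggy TLV parser.

Added illustration, not one of Mozilla's fuzzers. The record format, the
parser and its bug are all constructed for this example.
"""
import random
import struct

ACCEPTED_TAGS = {0x01, 0x02}  # constructed format: only two record types


def xor_checksum(value):
    checksum = 0
    for b in value:
        checksum ^= b
    return checksum


def encode_record(tag, value):
    """tag(1) | length(2, big-endian) | value | xor-checksum(1)"""
    return bytes([tag]) + struct.pack(">H", len(value)) + value + bytes([xor_checksum(value)])


def parse_tlv(data):
    """Parse records; ValueError means the parser deliberately rejected the input.

    Constructed bug: the length field is trusted, so a record claiming more
    bytes than remain makes the checksum read index past the buffer. That
    escapes as IndexError (or struct.error for a truncated header) rather
    than ValueError, i.e. it is a crash, not a rejection.
    """
    records = []
    pos = 0
    while pos < len(data):
        tag = data[pos]
        if tag not in ACCEPTED_TAGS:
            raise ValueError(f"unknown tag {tag:#x}")
        (length,) = struct.unpack_from(">H", data, pos + 1)
        value = data[pos + 3 : pos + 3 + length]
        expected = data[pos + 3 + length]  # trusts `length`: the bug
        if xor_checksum(value) != expected:
            raise ValueError("checksum mismatch")
        records.append((tag, value))
        pos += 4 + length
    return records


def mutate(rng, data):
    """One random mutation: bit flip, boundary byte, truncation or insertion."""
    data = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and data:
        i = rng.randrange(len(data))
        data[i] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    elif choice == 2 and len(data) > 1:
        del data[rng.randrange(1, len(data)):]
    else:
        i = rng.randrange(len(data) + 1)
        data[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(data)


def fuzz(seeds, iterations, rng_seed=1):
    """Mutate seeds and bucket each outcome. Only the crash bucket is a bug report."""
    rng = random.Random(rng_seed)
    stats = {"ok": 0, "rejected": 0, "crash_count": 0, "crashes": {}}
    for _ in range(iterations):
        case = mutate(rng, rng.choice(seeds))
        try:
            parse_tlv(case)
        except ValueError:
            stats["rejected"] += 1          # intended behaviour, not a finding
        except Exception as exc:             # anything else is a crash
            stats["crash_count"] += 1
            stats["crashes"].setdefault(f"{type(exc).__name__}: {exc}", case)
        else:
            stats["ok"] += 1
    return stats


# Constructed seed: one valid message with two records.
SEED_MESSAGE = encode_record(0x01, b"hello") + encode_record(0x02, b"\x01\x02")

if __name__ == "__main__":
    result = fuzz([SEED_MESSAGE], 2000)
    print({k: v for k, v in result.items() if k != "crashes"})
    for signature, case in result["crashes"].items():
        print(signature, case.hex())
```

Each distinct crash signature is stored with the input that produced it, so every entry in `crashes` is a reproducible test case rather than a suspicion to triage. The fix for the constructed bug is a single check that `pos + 3 + length < len(data)` before the checksum read, after which the crash bucket should empty out on a rerun.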
Snyder criticized vendors that package security vulnerabilities into major service packs, which she said gives them time to test patches but opens up users to risks. "I urge you to tell your vendors to weigh the benefit of monster test pass service packs," she said.
She also took a dig at Google for issuing updates for its new Chrome browser without prompting the user. That could be a problem for IT departments if the update breaks a function, she said.